Skip to main content

Sign binary commands

This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.

Prerequisites

  • Executables must be present in the path variable of the operating system for all tools used for signing.

  • PKCS11 config file is mandatory for jarsigner and jSign.

  • Provide either keypair alias or certificate fingerprint for signing.

Configuration

The default tool used for signing will be based on the operating system. For example:

  • Signature algorithm can be configured by using the <--sigalg string> flag (applied based on available options provided by the tool used for signing).

  • Digest algorithm can be configured by using the <--digalg string> flag (applied based on available options provided by the tool used for signing).

  • When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).

  • When a specific kind of file needs to be signed, use the <--tool string> flag (eg : --tool apksigner will only sign *.apk file).

  • The minimum SDK version supported for APK signer is 18.

Sign

Sign commands begin with:

smctl signature <keypair alias>

or

smctl sign <keypair alias >

Flags

The sign command supports these flags:

tabla 1. Flags for managing signatures

Shortcut

Flag

Description

--all-metadata

Capture all signature metadata. Default is to capture all metadata.

--certificate string

Provide the path of the certificate to be used for signing. 

Format:

--certificate="<value>"

--checksum-after-signing

Capture the checksum in the signature metadata after signing the file. Leave blank to capture by default.

--checksum-before-signing

Capture the checksum in the signature metadata before signing the file. Leave blank to capture by default.

--config-file string

Provide the path to the PKCS11 config file. 

Format:

--config-file="<value>"

-d

--digalg string

Specify the digest algorithm to use for signing (default based on the tool used for signing).

Format:

--digalg="<value>"

--digest-algorithm

Capture the digest algorithm in the signature metadata. Leave blank to capture by default.

--exit-non-zero-on-fail

Returns a non-zero status if any files fail to be signed during bulk signing.

--failfast

Stops bulk signing immediately upon encountering the first file that cannot be signed.

--file-location

Capture the file location in the signature metadata. Leave blank to capture by default.

--file-name

Capture the file name in the signature metadata. Leave blank to capture by default.

-i

--input string

Provide the path to the file or folder to be signed. If you specify a folder, all files inside the folder will be signed. 

Format:

--input="<value>"

--keychain-path string

Provide the path to Keychain (This flag only applies to Apple productsign)

-k

--keypair-alias string

Keypair alias to be used for signing. 

Format:

--keypair-alias="<value>"

--openssl-pkcs11-engine string

Provide the path to the OpenSSL PKCS11 engine.

Nota

This flag only applies to osslsigncode.

--pkcs11-module string

Provide the absolute path to the PKCS11 library.

-s

--sigalg string

Signature algorithm to use (default based on the tool used for signing). 

Format:

--sigalg="<value>"

--signing-tool

Capture the signing tool in the signature metadata. Leave blank to capture by default.

--timestamp

Use this flag to enable or disable timestamping for your signature. The syntax is --timestamp=false to disable timestamping. By default, the timestamp is enabled (TRUE).

--timestamp-flag

Capture the timestamp in the signature metadata. Leave blank to capture by default.

-t

--tool string

Specify the tool to use for signing (leave it blank to sign with the default signing tool based on the file extension).

Format:

--tool="<value>"

--tsa-url

Capture the timestamp (TSA) URL in the signature metadata. Leave blank to capture by default.

-v

--verbose

Verbose logging for signing.

-h

--help

Help for signing.


Subcommands

The sign command supports these subcommands:

smctl signature <subcommand>

or

smctl sign <subcommand>

tabla 2. Subcommands for managing signatures

Subcommand

Description

remove

Remove signature

verify

Verify signed binary.